Skip to content

Azure-Samples/Project_Confidential_Apps_for_IoT_with_Enclaves

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.vscode
 
 
docs
 
 
src
 
 
LICENSE
 
 
README.md
 
 
azuredeploy.json
 
 
Enclave Device Blueprint for Confidential Computing at the Edge Welcome The Blueprint Components Packaging Tooling Installation Key Management Architecture Getting Started Where To Learn More

README.md

Enclave Device Blueprint for Confidential Computing at the Edge

Welcome

This sample project brings together everything that you need in order to learn about and get familiar with the Enclave Device Blueprint for Confidential Computing at the Edge. This blueprint is being developed as a collaboration between Microsoft, Scalys and Arm. It is intended to enable the mainstream adoption of confidential computing practices in edge computing deployments.

The Blueprint

The Enclave Device Blueprint was launched at Arm DevSummit in October 2021. You may have just watched the session or read the whitepaper and you are keen to learn more. This sample will get you started with the process of exploring the blueprint and putting it into practice. Here you will find instructions, sample source code, and links to a variety of resources to get started with the blueprint using cloud services from Microsoft Azure, and the Scalys TrustBox Edge 201 (below).

Scalys TrustBox Edge 201

The purpose of the blueprint is to enable the execution of confidential computing workloads at the edge. The TrustBox Edge 201 is an edge computing device that is capable of executing confidential computing workloads by utilizing the hardware-enforced isolation capabilities of Arm TrustZone. Alongside the device, the blueprint brings additional tools and architectural patterns to ensure that workloads are delivered with end-to-end protection of their confidentiality, right from the point where the application is built, all the way to the point of execution within the hardware-isolated enclave. The code and resources in this sample will allow you to realize this blueprint for a demo application that uses a confidential Machine Learning model.

Components

Blueprint Components

Packaging

The open-source specifications for Confidential Packaging are being maintained in GitHub. Head to the repository to understand details such as the file format.

Tooling

The open-source tools for the building and installation of Confidential Package files are being actively developed using the Rust programming language. Head over to the GitHub repository to learn how to build and use the tools in your own deployments.

Installation

The Confidential Package Manager (CPM) is the component that is responsible for installing confidential workloads and getting them ready for execution on the device. The Scalys TrustBox Edge 201 comes with this component already built in, so you will not need to build it yourself in order to get started. However, this component is also being developed fully in open-source, and you can find it on GitHub.

Key Management

The Enclave Device Blueprint offers a very flexible model for key management. In this sample you can learn how to use the Azure Key Vault service to safeguard the cryptographic keys that are needed to protect your confidential workloads. You will also see an example of how Azure Functions can be used to provide the secure access and distribution of keys to both your build pipeline and your edge devices.

Architecture

The image below shows how the components of the blueprint interact. The end goal is to build, publish, deploy and execute confidential applications such that their contents are not revealed anywhere in between the point where they are first built, up until the point where they are installed and executing within a hardware-isolated enclave on the edge device.

In the build pipeline, the application is transformed into a Confidential Package file, which applies a layer of encryption using a key that is shared securely from the key vault in the cloud. The Confidential Package file can also embed signatures, certificates and other resources that will allow the target edge device to verify its authenticity. Once it is built, the Confidential Package file can easily be embedded in a container, along with the other non-confidential parts of the application. This allows for the confidential workload to be distributed to its target edge devices very conveniently, using the familiar mechanism of container repositories.


Solution Architecture

Getting Started

This sample project realizes the blueprint solution architecture using Microsoft Azure. To get started, you will need to set up an Azure account and populate it with some required resources. Head over to the Azure environment setup guide to find out how to do this.

Note: The Azure Samples team is working on a fully-automated environment set-up. If you are not comfortable following the manual steps documented in the link above, check back here soon for some additional content!

The next stage will be to build the demo application and deploy it to your device. It's time to head over to the GitHub repository for the OpenEnclave Machine Learning demo in order to complete your exploration of this Azure Sample project.

Where To Learn More

About

Project endeavour between MICROSOFT, SCALYS and ARM on Building Confidential Apps for IoT with Enclaves

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Stars

0 stars

Watchers

14 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages